From 9588b78eb0a53c40ce96606f5329eec9df86217c Mon Sep 17 00:00:00 2001
From: Christian Marangi <ansuelsmth@gmail.com>
Date: Thu, 14 Dec 2023 15:00:52 +0100
Subject: [PATCH] simple_http: Convert to WolfSSL

Fully convert to WolfSSL as recent version of WolfSSL dropped the
support shims for CyaSSL.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
---
 configure.in      |  45 ++++++++---------
 src/simple_http.c | 122 +++++++++++++++++++++++-----------------------
 2 files changed, 81 insertions(+), 86 deletions(-)

--- a/configure.in
+++ b/configure.in
@@ -85,48 +85,45 @@ AC_SUBST(enable_latex_docs)
 # Acutally perform the doxygen check
 BB_ENABLE_DOXYGEN
 
-# Enable cyassl?
-AC_DEFUN([BB_CYASSL],
+# Enable wolfssl?
+AC_DEFUN([BB_WOLFSSL],
 [
-AC_ARG_ENABLE(cyassl, [  --enable-cyassl        enable TLS support for auth server communication (no)], [], [enable_cyassl=no])
-if test "x$enable_cyassl" = xyes; then
-        # CyaSSL has been renamed wolfSSL. Old method names are still available
-        # via cyassl/ssl.h, which maps old methods to new methods via macros.
-        # To find the proper lib to link against (cyassl or wolfssl), we do have
-        # the use the new naming scheme below as cyassl/ssl.h is not available for
-        # AC_SEARCH_LIBS
-        AC_CHECK_HEADERS(cyassl/ssl.h)
-        AC_SEARCH_LIBS([CyaTLSv1_client_method], [cyassl], [], [
-            AC_SEARCH_LIBS([wolfTLSv1_client_method], [wolfssl], [], [
-                            AC_MSG_ERROR([unable to locate SSL lib: either wolfSSL or CyaSSL needed.])
-            ])
+AC_ARG_ENABLE(wolfssl, [  --enable-wolfssl        enable TLS support for auth server communication (no)], [], [enable_wolfssl=no])
+if test "x$enable_wolfssl" = xyes; then
+        AC_CHECK_HEADERS(wolfssl/ssl.h, [], [],
+        [
+                #include <wolfssl/options.h>
+        ])
+        AC_SEARCH_LIBS([wolfTLSv1_client_method], [wolfssl], [], [
+                AC_MSG_ERROR([unable to locate SSL lib: wolfSSL needed.])
         ])
 
-        AC_MSG_CHECKING([for the CyaSSL SNI enabled])
+        AC_MSG_CHECKING([for the Wolfssl SNI enabled])
         AC_LINK_IFELSE([AC_LANG_PROGRAM(
         [[
                 #define HAVE_SNI
-                #include <cyassl/ssl.h>
+                #include <wolfssl/options.h>
+                #include <wolfssl/ssl.h>
         ]], [[
-                CYASSL_CTX *ctx;
-                CyaSSL_Init();
-                ctx = CyaSSL_CTX_new(CyaTLSv1_client_method());
-                CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, "wifidog.org", 11);
+                WOLFSSL_CTX *ctx;
+                wolfSSL_Init();
+                ctx = wolfSSL_CTX_new(wolfTLSv1_client_method());
+                wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, "wifidog.org", 11);
         ]])], [enabled_sni=yes], [enabled_sni=no])
 
         if test "x$enabled_sni" = xyes; then
                 AC_MSG_RESULT([yes])
-                AC_DEFINE([HAVE_SNI],, "Compile with CyaSSL SNI support")
+                AC_DEFINE([HAVE_SNI],, "Compile with wolfssl SNI support")
         else
                 AC_MSG_RESULT([no])
         fi
 
-        AC_DEFINE(USE_CYASSL,, "Compile with CyaSSL support")
+        AC_DEFINE(USE_WOLFSSL,, "Compile with wolfssl support")
 fi
 ])
 
-# Actually perform the cyassl check
-BB_CYASSL
+# Actually perform the wolfssl check
+BB_WOLFSSL
 
 
 
--- a/src/simple_http.c
+++ b/src/simple_http.c
@@ -28,6 +28,7 @@
 #include <arpa/inet.h>
 #include <errno.h>
 #include <unistd.h>
+#include <pthread.h>
 #include <string.h>
 #include <syslog.h>
 
@@ -36,17 +37,14 @@
 #include "debug.h"
 #include "pstring.h"
 
-#ifdef USE_CYASSL
-#include <cyassl/ssl.h>
+#ifdef USE_WOLFSSL
+#include <wolfssl/options.h>
+#include <wolfssl/ssl.h>
 #include "conf.h"
-/* For CYASSL_MAX_ERROR_SZ */
-#include <cyassl/ctaocrypt/types.h>
-/* For COMPRESS_E */
-#include <cyassl/ctaocrypt/error-crypt.h>
 #endif
 
-#ifdef USE_CYASSL
-static CYASSL_CTX *get_cyassl_ctx(const char *hostname);
+#ifdef USE_WOLFSSL
+static WOLFSSL_CTX *get_wolfssl_ctx(const char *hostname);
 #endif
 
 /**
@@ -133,48 +131,48 @@ http_get(const int sockfd, const char *r
     return NULL;
 }
 
-#ifdef USE_CYASSL
+#ifdef USE_WOLFSSL
 
-static CYASSL_CTX *cyassl_ctx = NULL;
-static pthread_mutex_t cyassl_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+static WOLFSSL_CTX *wolfssl_ctx = NULL;
+static pthread_mutex_t wolfssl_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
 
-#define LOCK_CYASSL_CTX() do { \
-	debug(LOG_DEBUG, "Locking CyaSSL Context"); \
-	pthread_mutex_lock(&cyassl_ctx_mutex); \
-	debug(LOG_DEBUG, "CyaSSL Context locked"); \
+#define LOCK_WOLFSSL_CTX() do { \
+	debug(LOG_DEBUG, "Locking WolfSSL Context"); \
+	pthread_mutex_lock(&wolfssl_ctx_mutex); \
+	debug(LOG_DEBUG, "WolfSSL Context locked"); \
 } while (0)
 
-#define UNLOCK_CYASSL_CTX() do { \
-	debug(LOG_DEBUG, "Unlocking CyaSSL Context"); \
-	pthread_mutex_unlock(&cyassl_ctx_mutex); \
-	debug(LOG_DEBUG, "CyaSSL Context unlocked"); \
+#define UNLOCK_WOLFSSL_CTX() do { \
+	debug(LOG_DEBUG, "Unlocking WolfSSL Context"); \
+	pthread_mutex_unlock(&wolfssl_ctx_mutex); \
+	debug(LOG_DEBUG, "WolfSSL Context unlocked"); \
 } while (0)
 
-static CYASSL_CTX *
-get_cyassl_ctx(const char *hostname)
+static WOLFSSL_CTX *
+get_wolfssl_ctx(const char *hostname)
 {
     int err;
-    CYASSL_CTX *ret;
+    WOLFSSL_CTX *ret;
     s_config *config = config_get_config();
 
-    LOCK_CYASSL_CTX();
+    LOCK_WOLFSSL_CTX();
 
-    if (NULL == cyassl_ctx) {
-        CyaSSL_Init();
-        /* Create the CYASSL_CTX */
+    if (NULL == wolfssl_ctx) {
+        wolfSSL_Init();
+        /* Create the WOLFSSL_CTX */
         /* Allow TLSv1.0 up to TLSv1.2 */
-        if ((cyassl_ctx = CyaSSL_CTX_new(CyaTLSv1_client_method())) == NULL) {
-            debug(LOG_ERR, "Could not create CYASSL context.");
-            UNLOCK_CYASSL_CTX();
+        if ((wolfssl_ctx = wolfSSL_CTX_new(wolfTLSv1_client_method())) == NULL) {
+            debug(LOG_ERR, "Could not create WOLFSSL context.");
+            UNLOCK_WOLFSSL_CTX();
             return NULL;
         }
 
         if (config->ssl_cipher_list) {
             debug(LOG_INFO, "Setting SSL cipher list to [%s]", config->ssl_cipher_list);
-            err = CyaSSL_CTX_set_cipher_list(cyassl_ctx, config->ssl_cipher_list);
+            err = wolfSSL_CTX_set_cipher_list(wolfssl_ctx, config->ssl_cipher_list);
             if (SSL_SUCCESS != err) {
                 debug(LOG_ERR, "Could not load SSL cipher list (error %d)", err);
-                UNLOCK_CYASSL_CTX();
+                UNLOCK_WOLFSSL_CTX();
                 return NULL;
             }
         }
@@ -183,12 +181,12 @@ get_cyassl_ctx(const char *hostname)
         if (config->ssl_use_sni) {
             debug(LOG_INFO, "Setting SSL using SNI for hostname %s",
                 hostname);
-            err = CyaSSL_CTX_UseSNI(cyassl_ctx, CYASSL_SNI_HOST_NAME, hostname,
+            err = wolfSSL_CTX_UseSNI(wolfssl_ctx, WOLFSSL_SNI_HOST_NAME, hostname,
                       strlen(hostname));
             if (SSL_SUCCESS != err) {
                 debug(LOG_ERR, "Could not setup SSL using SNI for hostname %s",
                     hostname);
-                UNLOCK_CYASSL_CTX();
+                UNLOCK_WOLFSSL_CTX();
                 return NULL;
             }
         }
@@ -196,28 +194,28 @@ get_cyassl_ctx(const char *hostname)
 
         if (config->ssl_verify) {
             /* Use trusted certs */
-            /* Note: CyaSSL requires that the certificates are named by their hash values */
+            /* Note: WolfSSL requires that the certificates are named by their hash values */
             debug(LOG_INFO, "Loading SSL certificates from %s", config->ssl_certs);
-            err = CyaSSL_CTX_load_verify_locations(cyassl_ctx, NULL, config->ssl_certs);
+            err = wolfSSL_CTX_load_verify_locations(wolfssl_ctx, NULL, config->ssl_certs);
             if (err != SSL_SUCCESS) {
                 debug(LOG_ERR, "Could not load SSL certificates (error %d)", err);
                 if (err == ASN_UNKNOWN_OID_E) {
-                    debug(LOG_ERR, "Error is ASN_UNKNOWN_OID_E - try compiling cyassl/wolfssl with --enable-ecc");
+                    debug(LOG_ERR, "Error is ASN_UNKNOWN_OID_E - try compiling wolfssl/wolfssl with --enable-ecc");
                 } else {
                     debug(LOG_ERR, "Make sure that SSLCertPath points to the correct path in the config file");
                     debug(LOG_ERR, "Or disable certificate loading with 'SSLPeerVerification No'.");
                 }
-                UNLOCK_CYASSL_CTX();
+                UNLOCK_WOLFSSL_CTX();
                 return NULL;
             }
         } else {
-            CyaSSL_CTX_set_verify(cyassl_ctx, SSL_VERIFY_NONE, 0);
+            wolfSSL_CTX_set_verify(wolfssl_ctx, SSL_VERIFY_NONE, 0);
             debug(LOG_INFO, "Disabling SSL certificate verification!");
         }
     }
 
-    ret = cyassl_ctx;
-    UNLOCK_CYASSL_CTX();
+    ret = wolfssl_ctx;
+    UNLOCK_WOLFSSL_CTX();
     return ret;
 }
 
@@ -237,20 +235,20 @@ https_get(const int sockfd, const char *
     fd_set readfds;
     struct timeval timeout;
     unsigned long sslerr;
-    char sslerrmsg[CYASSL_MAX_ERROR_SZ];
+    char sslerrmsg[WOLFSSL_MAX_ERROR_SZ];
     size_t reqlen = strlen(req);
     char readbuf[MAX_BUF];
     char *retval;
     pstr_t *response = pstr_new();
-    CYASSL *ssl = NULL;
-    CYASSL_CTX *ctx = NULL;
+    WOLFSSL *ssl = NULL;
+    WOLFSSL_CTX *ctx = NULL;
 
     s_config *config;
     config = config_get_config();
 
-    ctx = get_cyassl_ctx(hostname);
+    ctx = get_wolfssl_ctx(hostname);
     if (NULL == ctx) {
-        debug(LOG_ERR, "Could not get CyaSSL Context!");
+        debug(LOG_ERR, "Could not get WolfSSL Context!");
         goto error;
     }
 
@@ -260,28 +258,28 @@ https_get(const int sockfd, const char *
         goto error;
     }
 
-    /* Create CYASSL object */
-    if ((ssl = CyaSSL_new(ctx)) == NULL) {
-        debug(LOG_ERR, "Could not create CyaSSL context.");
+    /* Create WOLFSSL object */
+    if ((ssl = wolfSSL_new(ctx)) == NULL) {
+        debug(LOG_ERR, "Could not create WolfSSL context.");
         goto error;
     }
     if (config->ssl_verify) {
         // Turn on domain name check
         // Loading of CA certificates and verification of remote host name
         // go hand in hand - one is useless without the other.
-        CyaSSL_check_domain_name(ssl, hostname);
+        wolfSSL_check_domain_name(ssl, hostname);
     }
-    CyaSSL_set_fd(ssl, sockfd);
+    wolfSSL_set_fd(ssl, sockfd);
 
     debug(LOG_DEBUG, "Sending HTTPS request to auth server: [%s]\n", req);
-    numbytes = CyaSSL_send(ssl, req, (int)reqlen, 0);
+    numbytes = wolfSSL_send(ssl, req, (int)reqlen, 0);
     if (numbytes <= 0) {
-        sslerr = (unsigned long)CyaSSL_get_error(ssl, numbytes);
-        CyaSSL_ERR_error_string(sslerr, sslerrmsg);
-        debug(LOG_ERR, "CyaSSL_send failed: %s", sslerrmsg);
+        sslerr = (unsigned long)wolfSSL_get_error(ssl, numbytes);
+        wolfSSL_ERR_error_string(sslerr, sslerrmsg);
+        debug(LOG_ERR, "WolfSSL_send failed: %s", sslerrmsg);
         goto error;
     } else if ((size_t) numbytes != reqlen) {
-        debug(LOG_ERR, "CyaSSL_send failed: only %d bytes out of %d bytes sent!", numbytes, reqlen);
+        debug(LOG_ERR, "WolfSSL_send failed: only %d bytes out of %d bytes sent!", numbytes, reqlen);
         goto error;
     }
 
@@ -300,14 +298,14 @@ https_get(const int sockfd, const char *
                         /** We don't have to use FD_ISSET() because there
 			 *  was only one fd. */
             memset(readbuf, 0, MAX_BUF);
-            numbytes = CyaSSL_read(ssl, readbuf, MAX_BUF - 1);
+            numbytes = wolfSSL_read(ssl, readbuf, MAX_BUF - 1);
             if (numbytes < 0) {
-                sslerr = (unsigned long)CyaSSL_get_error(ssl, numbytes);
-                CyaSSL_ERR_error_string(sslerr, sslerrmsg);
+                sslerr = (unsigned long)wolfSSL_get_error(ssl, numbytes);
+                wolfSSL_ERR_error_string(sslerr, sslerrmsg);
                 debug(LOG_ERR, "An error occurred while reading from server: %s", sslerrmsg);
                 goto error;
             } else if (numbytes == 0) {
-                /* CyaSSL_read returns 0 on a clean shutdown or if the peer closed the
+                /* WolfSSL_read returns 0 on a clean shutdown or if the peer closed the
                    connection. We can't distinguish between these cases right now. */
                 done = 1;
             } else {
@@ -326,7 +324,7 @@ https_get(const int sockfd, const char *
 
     close(sockfd);
 
-    CyaSSL_free(ssl);
+    wolfSSL_free(ssl);
 
     retval = pstr_to_string(response);
     debug(LOG_DEBUG, "HTTPS Response from Server: [%s]", retval);
@@ -334,7 +332,7 @@ https_get(const int sockfd, const char *
 
  error:
     if (ssl) {
-        CyaSSL_free(ssl);
+        wolfSSL_free(ssl);
     }
     if (sockfd >= 0) {
         close(sockfd);
@@ -344,4 +342,4 @@ https_get(const int sockfd, const char *
     return NULL;
 }
 
-#endif                          /* USE_CYASSL */
+#endif                          /* USE_WOLFSSL */
